41-80 Flashcards
(40 cards)
Which command do you enter to verify the Phase 1 status of a VPN connection?
A. debug crypto isakmp
B. sh crypto session
C. sh crypto isakmp sa
D. sh crypto ipsec sa
sh crypto isakmp sa
What are two major considerations when choosing between a SPAN and a TAP when implementing IPS? (Choose two)
A. the amount of bandwidth available
B. the way in which dropped packets will be handled
C. the type of analysis the IPS will perform
D. whether RX and TX signals will use separate ports
E. the way in which media errors will be handled
the amount of bandwidth available
the type of analysis the IPS will perform
Which information can you display by executing the show crypto ipsec sa command?
A. proxy information for the connection between two peers
B. IPsec SAs established between two peers
C. recent changes to the IP address of a peer router
D. ISAKMP SAs that are established between two peers
IPsec SAs established between two peers
Which command enables port security to use sticky MAC address on a switch?
A. switchport port-security
B. switchport port security mac-address sticky
C. switchport port-security violation protect
D. switchport port-security violation restrict
switchport port security mac-address sticky
When would you configure the ip dhcp snooping trust command on a switch?
A. when the switch is connected to a DHCP server.
B. when the switch is connected to a client system.
C. when the switch is serving as an aggregator.
D. when the switch is working in an edge capacity.
when the switch is connected to a DHCP server.
Which IDS/IPS state misidentifies acceptable behaviour as an attack?
A. false positive
B. false negative
C. true positive
D. true negative
false positive
How is management traffic isolated on a Cisco ASR 1002?
A. Traffic is isolated based upon how you configure routing on the device.
B. There is no management traffic isolation on a Cisco ASR 1002.
C. The management interface is configured in a special VRF that provides traffic isolation from the default routing table.
D. Traffic isolation is done on the VLAN level
The management interface is configured in a special VRF that provides traffic isolation from the default routing table.
(SIM1 Q1) Which user authentication method is used when users log in to the Clientless SSL VPN portal using https://209.165.201.2/test?
A. Both Certificate and AAA with local database.
B. AAA with RADIUS server.
C. Both Certificate and AAA with RADIUS server.
D. AAA with LOCAL database.
E. Certificate
AAA with LOCAL database.
(SIM1 Q2) When users log in to the Clientless SSL VPN using https://209.165.201.2/test, which group policy will be applied?
A. test
B. Sales
C. DefaultRAGroup
D. DefaultWEBVPNGroup
E. clientless
F. DFTGrpPolicy
Sales
(SIM1 Q3) Which two statements regarding the ASA VPN configurations are correct? (Choose two)
A. The Inside-SRV bookmark has not been applied to the Sales group policy.
B. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_Trustpoint1.
C. The Inside-SRV bookmark references the https://10.2.1.1 URL.
D. Anyconnect, IPsec IKEv1 and IPsec IKEv2 VPN access is enabled on the outside interface.
E. Only Clientless SSL VPN access is allowed with the Sales group Policy.
F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method
Only Clientless SSL VPN access is allowed with the Sales group Policy.
The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method
(SIM1 Q4) Which four tunnelling protocols are enabled in the DfltGrpPolicy group policy? (Choose four)
A. IPsec IKEv1
B. IPsec IKEv2
C. L2TP/IPsec
D. Clientless SSL VPN
E. SSL VPN Client
F. PPTP
IPsec IKEv1
IPsec IKEv2
L2TP/IPsec
Clientless SSL VPN
There are two versions of IKE: IKEv1 and IKEv2. Both the IKEv1 and IKEv2 protocols operate in phases. IKEv1 operates in two phases. IKEv2 operates in how many phases?
A. 2
B. 3
C. 4
D. 5
2
Which command successfully creates an administrative user with a password of “cisco” on a Cisco router?
A. username Operator privilege 7 password Cisco
B. username Operator privilege 1 password Cisco
C. username Operator privilege 15 password Cisco
D. username Operator password cisco privilege 15
username Operator privilege 15 password Cisco
Which IPS detection method examines network traffic for preconfigured patterns?
A. signature-based detection
B. policy-based detection
C. anomaly-based detection
D. honey-pot detection
signature-based detection
What is the main purpose of Control Plane Policing?
A. to prevent exhaustion of route-processor resources.
B. to define traffic classes.
C. to organize the egress packet queues.
D. to maintain the policy map.
to prevent exhaustion of route-processor resources.
What action must you take on the ISE to blacklist a wired device?
A. Issue a COA request for the device’s MAC address to each access switch in the network.
B. Add the device’s MAC address to a list of blacklisted devices.
C. Locate the switch through which the device is connected and push an ACL restricting all access by the device.
D. Revoke the device’s certificate so it is unable to authenticate to the network.
Add the device’s MAC address to a list of blacklisted devices.
Which term is most closely aligned with the basic purpose of a SIEM solution?
A. Causality
B. Accountability
C. Non-Repudiation
D. Repudiation
Accountability
Which statement about the native VLAN is true?
A. It is the Cisco-recommended VLAN for user traffic.
B. It is most secure when it is assigned to VLAN1.
C. It is susceptible to VLAN hopping attacks.
D. It is the Cisco recommended VLAN for switch-management traffic.
It is susceptible to VLAN hopping attacks.
How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them into EAP and forwards them to the authentication server.
The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into RADIUS and forwards them to the authentication server.
Which IKE phase 1 parameter can you use to require the site-to-site VPN to use a pre-shared key?
A. group
B. hash
C. authentication
D. encryption
authentication
How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Configure twice NAT instead of object NAT.
B. Add the no-proxy-arp command to the nat line.
C. Assign the output interface in the NAT statement.
D. Use packet-tracer rules to reroute misrouted NAT entries.
Assign the output interface in the NAT statement.
What is the minimum Cisco IOS version that supports zone-based firewalls?
A. 12.4(6)T
B. 15.1
C. 15.0
D. 12.1T
12.4(6)T
Which type of firewall can perform deep packet inspection?
A. stateless firewall
B. packet-filtering firewall
C. application firewall
D. personal firewall
application firewall
What is the best definition of hairpinning?
A. traffic that enters and exits a device through the same interface
B. traffic that tunnels through a device interface
C. traffic that enters one interface on a device and that exits through another interface
D. ingress traffic that traverses the outbound interface on a device
traffic that enters and exits a device through the same interface